Setting up Watches

Hello! I'm fairly new to the stack but I have an ELK system set up and consuming logs from a production webserver. I'd like to set up some Watches. When I go to set up a Watch it asks for a name and index, so I provide a name and index (logstash-*). But how do I define my query? For example, I'd like to narrow things down by app_id, type and then a condition (response code from server).

All I'm provided with is this:

So where do I set my query?

Hey,

You have selected to configure a threshold alert, which basically is a threshold above a certain aggregated value.

If you want to use a query, you need to write a watch yourself using the Advanced watch method. This means you are writing the watch yourself. The first thing you should take a look at is probably getting started with watcher and then the search input.

Hope this helps!

--Alex
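
For reference, an added example (not part of the original posts, and not code from Elastic) of an advanced watch body that uses a search input for the case in the question: filter `logstash-*` by `app_id` and `type`, then alert on the response code. The field name `response`, the values `my-app` and `nginx-access`, the 5-minute window and the threshold of 10 are assumptions; it also assumes `app_id` and `type` are keyword fields and `response` is mapped as a number.

```json
{
  "metadata": {
    "note": "Added example. Field names, values, interval and threshold are assumed; adjust them to your own mapping."
  },
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "logstash-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "app_id": "my-app" } },
                { "term": { "type": "nginx-access" } },
                { "range": { "response": { "gte": 500 } } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 10 } }
  },
  "actions": {
    "log_hits": {
      "logging": {
        "text": "{{ctx.payload.hits.total}} responses with status >= 500 in the last 5 minutes"
      }
    }
  }
}
```

The `logging` action only writes to the Elasticsearch log, which makes it a convenient way to check that the query and condition behave as expected before swapping in an email or webhook action.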

Ahh! So there is no UI component to select pieces and put together a watch. Was hopeful given that some of the SaaS solutions based on ELK have that. All good, will read!